Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

App Flaws Allow Snoops to Spy On Tinder Users, Researchers Say

The use of HTTP for photo transport and a flaw in Tinder’s use of HTTPS can leave users exposed, Checkmarx says.

Researchers at Checkmarx say they have discovered a pair of vulnerabilities in the Tinder Android and iOS dating applications that could allow an attacker to snoop on user activity and manipulate content, compromising user privacy and putting them at risk.

Attackers can view a user’s Tinder profile, see the profile images they view and determine the actions they take, such as swiping left or right, if they are on the same wi-fi network as a target, according to a Checkmarx report released Tuesday.

“Other scenarios where an attacker can intercept traffic include VPN or company administrators, DNS poisoning attacks or a malicious internet service provider – to name a few,” researchers wrote.

One vulnerability lies in the fact that currently, both the iOS and Android versions of Tinder download profile pictures via insecure HTTP connections, Checkmarx said.

“Attackers can easily discover what device is viewing which profiles,” the researchers wrote. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.”

Researchers said the vulnerability also could allow an attacker to intercept and modify traffic. “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,” they said.

Checkmarx recommends all Tinder application traffic be moved to HTTPS. “One might argue that this affects speed quality, but when it comes to the privacy and sensitivity needed, speed should not be the main concern,” it said.

Tinder couldn’t immediately be reached for comment for this report.

Beyond the use of insecure HTTP, Checkmarx found an issue with Tinder’s use of HTTPS. Researchers call this vulnerability a “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take. This is done by checking the API server’s encrypted response payload size to determine the action,” researchers said.

For example, when a user swipes left on a profile picture, indicating a lack of interest in a profile, the API server delivers a 278 byte encrypted response. Swiping right, which means a user likes a particular profile, generates a 374 byte response, Checkmarx said.

Because Tinder member pictures are downloaded to the app via an insecure HTTP connection, it’s possible for an attackers to also view the profile images of those users being swiped left and right.

“User responses should not be predictable,” the researchers wrote. “Padding the requests and responses should be considered in order to reduce the information available to an attacker. If the responses were padded to a fixed size, it would be impossible to differentiate between them.”

It disclosed both vulnerabilities to Tinder prior to the report’s publication. Checkmarx calculated a CVSS base score of 4.3 for both vulnerabilities.

While it’s unclear whether an attacker has already exploited the vulnerabilities, doing so could expose Tinder users to blackmail and other threats, beyond an invasion of their privacy, Checkmarx said.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.